PKI gets shot in the arm from HSPD-12

FIPS-201 and mandate give agencies means and motive to develop apps

Early benefits of PKI

Secure e-mail, document signing and workflow. Requiring every employee to have a digital certificate makes it easier for agencies to perform these functions, which had been deemed too expensive, said Tim Polk, the National Institute of Standards and Technology's PKI program manager.

Alternative to passwords. By placing a reader on the desktop, IT officials will no longer have to manage multiple user name and password databases. Agencies also can improve the security of virtual private networks to give telecommuters easier access to agency applications.

Enhanced physical security. Polk said that having digital certificates will make it easier for employees to get into another agency's building because the visitor can be authenticated quickly and given access only to authorized buildings and systems.

Network access. Dan Turissini, chief executive officer of Operational Research Consultants Inc. of Fairfax, Va., said agencies should consider deploying a common validation scheme using Online Certificate Status Protocol, and at the very highest levels they could set up applications to do authentication and validation to the network. This also would let agencies use the OCSP infrastructure for other applications used by a large number of employees.

In 1995, when Tim Polk began working full time on developing standards and guidance for using public-key infrastructure applications, he figured it would be a two- or three-year project.

But 11 years later, Polk, the National Institute of Standards and Technology's PKI program manager, still is helping agencies adopt the technology.

'There has never been a killer app for PKI,' Polk said recently at a conference sponsored by Input Inc. of Reston, Va. 'We spent a lot of time looking for it, but there was nothing so compelling that made agencies buy and install PKI to support one app.'

While that killer app still may never come, Polk said Homeland Security Presidential Directive-12 should provide the impetus for every agency to use PKI more widely.

Helps to have standards

'We needed a centralized driver because it was hard to compute return on investment,' Polk said. 'HSPD-12 and [Federal Information Processing Standard] 201 change everything. It is not the killer app we have been looking for ... [but] a lot of pieces of the interoperability puzzle have been solved.'

Polk added that, because PKI is a central piece of FIPS-201, agencies and industry now have standards around which they can develop and implement software.

FIPS-201 standardized biometrics, and the key size and algorithm it will support.

'It used to be that, when you wanted to cross this divide, you had all these questions out there,' Polk said. 'Now the hardest ones are resolved.'

But Polk isn't unrealistic about how quickly agencies will adopt applications such as e-mail or single-sign-on capability using PKI.

Right now, Polk said, agencies are focused on meeting the letter of the HSPD-12 mandate, which was to have the ability to issue at least one card by Oct. 27, and issue compliant cards over the next two years. Polk instead is focusing on when agencies will be able to meet the spirit of the edict, when authentication becomes routine.

'If you look at the Department of Defense's experience, it shows this takes a long time to get people used to using PKI as a part of business,' he said. 'You definitely need some institutional fortitude.'

DOD has been trying to implement PKI since the mid-1990s, and only this past year did the Defense Information Systems Agency mandate its use, calling for systems to be in place by July 31. About 80 percent of DOD met the mandate, officials have said.

Dan Turissini, chief executive officer of Operational Research Consultants Inc. of Fairfax, Va., one of four PKI shared-services providers for HSPD-12, said the key to widespread use is a combination of having a reason to use it and implementing the hardware to use it on.

'We still have to deploy and make sure everyone gets a reader in their keyboard or laptop, or a USB reader,' he said. 'That is a challenge and expense that is not budgeted for. And then we need the apps. At the end of the day, there aren't a lot of access points that are PKI-enabled.'

Long road ahead

But Turissini agreed with Polk that HSPD-12 is a platform for agencies and gives industry a way to push it forward.

Turissini points to DOD's slow walk to PKI as an example of what many other agencies will face.

For instance, DOD required its employees to have a PKI certificate only this October for its Contractor Performance Assessment Reporting System, and for architect-engineer and construction reporting systems. Vendors had until Nov. 1 to obtain a PKI certificate to access these sites.

'The lesson we learned at DOD is that the deployment of individual credentials is important, but it's maybe half or less of the story,' Turissini said. 'Today, to get into a Web app or PKI-protected network or e-mail server, you still need to apply cert to that app or device and then configure the app to do validation. There is a lot more work that needs to be done, but it is a big step to have individual credentials.'

Turissini said agencies without PKI-enabled applications should look for the programs that have the biggest user base and then reuse the validation scheme. He also suggested that if agencies PKI-enable their network access it will go a long way toward improving security and spreading the use of the technology to applications.
